CVE-2021-47904 Overview
CVE-2021-47904 is an authenticated file upload vulnerability affecting PhreeBooks 5.2.3, an open-source accounting and ERP solution. The vulnerability resides in the Image Manager component, which fails to properly validate uploaded file types. This allows authenticated attackers to upload malicious PHP web shells and achieve remote code execution on the underlying server.
Critical Impact
Authenticated attackers can upload malicious PHP files through the Image Manager, enabling full remote code execution and complete server compromise.
Affected Products
- PhreeBooks 5.2.3
- PhreeBooks Image Manager Component
- PHP-based web servers running PhreeBooks
Discovery Timeline
- 2026-01-23 - CVE-2021-47904 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2021-47904
Vulnerability Analysis
This vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. The Image Manager functionality in PhreeBooks 5.2.3 lacks proper server-side validation of uploaded file types, allowing attackers to bypass intended restrictions and upload arbitrary files including executable PHP scripts. Once a malicious file is uploaded, the attacker can access it directly through the web server, triggering execution of the embedded code with the privileges of the web server process.
The attack requires authentication to access the Image Manager feature, but any authenticated user with access to this functionality can exploit the vulnerability. Given that PhreeBooks is accounting software often containing sensitive financial data, compromise of the application server could lead to significant data breaches, financial fraud, or lateral movement within the network.
Root Cause
The root cause is inadequate file upload validation in the Image Manager component. The application fails to implement proper server-side checks for uploaded file content and extensions. Instead of using a whitelist approach to restrict uploads to legitimate image file types (e.g., .jpg, .png, .gif), the application either performs no validation or relies solely on client-side controls that can be easily bypassed.
The absence of content-type verification (magic byte checking), filename sanitization, and execution prevention in the upload directory creates a direct path to remote code execution.
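The three missing controls just named (extension whitelist, magic-byte check, filename sanitization) as a server-side validator, written here as an added Python example rather than PhreeBooks code; the accepted types, the sample inputs and the polyglot check are assumptions of the example.

```python
import os
import re
import secrets

# Allowed extension -> magic bytes a genuine file of that type starts with.
# Assumption: the Image Manager only needs to accept these image types.
ALLOWED_TYPES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def validate_image_upload(filename: str, content: bytes) -> tuple:
    """Checks an upload handler must make on the server before saving.

    Returns (accepted, reason). Rejects a file whose extension is not
    whitelisted, whose bytes do not match that type, or which carries a PHP
    open tag inside otherwise valid image data (an image/PHP polyglot).
    The polyglot scan is a secondary heuristic; denying execution in the
    upload directory remains the primary control.
    """
    # The client controls the name: drop any directory component first.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "missing extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in whitelist"
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    if re.search(rb"<\?(php|=)", content, re.IGNORECASE):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Never store the client's name: random name plus the validated extension."""
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples, not real uploads.
    for name, data in [("shell.php", b"<?php echo 1; ?>"),
                       ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")]:
        print(name, validate_image_upload(name, data))
```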
Attack Vector
The attack is conducted over the network and requires low privileges (authenticated user access). An attacker must first authenticate to the PhreeBooks application, then navigate to the Image Manager functionality. By crafting a malicious HTTP request, the attacker uploads a PHP file containing a web shell payload instead of a legitimate image file.
The malicious file is stored in a web-accessible directory without proper sanitization. The attacker then accesses the uploaded file directly via its URL, causing the web server to execute the PHP code. This grants the attacker command execution capabilities on the server, potentially leading to complete system compromise.
For technical details and proof-of-concept information, refer to the GitHub PoC Repository and the VulnCheck Advisory.
Detection Methods for CVE-2021-47904
Indicators of Compromise
- Presence of unexpected .php files in image upload directories (commonly /images/, /uploads/, or similar paths)
- Web server access logs showing requests to newly created PHP files in upload directories
- Suspicious POST requests to the Image Manager endpoint with non-image content types
- Unusual process execution from the web server user context (www-data, apache, nginx)
Detection Strategies
- Monitor file system changes in web-accessible upload directories for creation of executable files
- Implement web application firewall (WAF) rules to detect PHP code patterns in file upload requests
- Review web server logs for sequential patterns of file upload followed by immediate access to the uploaded path
- Deploy file integrity monitoring (FIM) on the PhreeBooks installation directory
Monitoring Recommendations
- Enable verbose logging for the PhreeBooks application and the underlying web server
- Configure alerts for new executable file creation within the web application directory structure
- Monitor outbound network connections from the web server for potential command-and-control communication
- Implement anomaly detection for user behavior, particularly around the Image Manager functionality
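The log-review strategy above (an upload POST followed shortly by a request for a PHP file under an upload directory, from the same client) as a correlation over access-log lines, added here as an example and not part of the original advisory; the endpoint substring, upload paths, time window and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log format, reduced to the fields needed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions: the Image Manager upload endpoint contains this substring and
# uploads land under these web paths. Adjust both to the deployment.
UPLOAD_ENDPOINT_HINT = "image_manager"
UPLOAD_DIRS = ("/images/", "/uploads/")
PHP_EXT_RE = re.compile(r"\.(php|phtml|phar|php\d)(\?|$)", re.IGNORECASE)
WINDOW_SECONDS = 300


def find_upload_then_execute(lines):
    """Return (ip, path, status) for each GET of a PHP-family file under an
    upload directory that follows an upload POST from the same client within
    WINDOW_SECONDS. Unparseable lines are skipped."""
    last_upload = {}  # ip -> timestamp of the most recent upload POST
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        ts = datetime.strptime(m["ts"], TS_FMT)
        if method == "POST" and UPLOAD_ENDPOINT_HINT in path:
            last_upload[ip] = ts
        elif method == "GET" and any(d in path for d in UPLOAD_DIRS) and PHP_EXT_RE.search(path):
            prev = last_upload.get(ip)
            if prev is not None and 0 <= (ts - prev).total_seconds() <= WINDOW_SECONDS:
                hits.append((ip, path, m["status"]))
    return hits


# Constructed sample log, not from a real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jan/2026:10:00:01 +0000] "POST /phreebooks/index.php?image_manager HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jan/2026:10:00:07 +0000] "GET /phreebooks/images/cmd.php HTTP/1.1" 200 88',
    '198.51.100.9 - - [23/Jan/2026:10:01:00 +0000] "GET /phreebooks/images/logo.png HTTP/1.1" 200 4321',
    '198.51.100.9 - - [23/Jan/2026:10:02:00 +0000] "GET /phreebooks/images/old.php HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for ip, path, status in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT {ip} uploaded then requested {path} (HTTP {status})")
```

A request for a PHP file under an upload directory with no preceding upload (the last sample line) is still worth reviewing on its own, but this routine deliberately reports only the upload-then-access sequence.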
How to Mitigate CVE-2021-47904
Immediate Actions Required
- Restrict access to the Image Manager functionality to only essential administrative users
- Review the upload directory for any suspicious PHP files and remove any unauthorized content
- Implement network segmentation to limit the impact of potential server compromise
- Consider temporarily disabling the Image Manager feature until a patch is applied
Patch Information
Users should check the PhreeSoft Homepage for security updates or upgraded versions that address this vulnerability. Review the VulnCheck Advisory for additional remediation guidance. If no official patch is available, consider migrating to an alternative solution or implementing the workarounds below.
Additional technical details are available at Exploit-DB #46645 and Exploit-DB #49524.
Workarounds
- Configure the web server to deny execution of PHP files in the upload directory using .htaccess or equivalent server configuration
- Implement additional server-side file type validation at the web server or reverse proxy level
- Deploy a web application firewall (WAF) to filter malicious upload attempts
- Restrict the Image Manager functionality through application-level access controls
# Apache 2.4 configuration to prevent PHP execution in the upload directory.
# Place in the server or VirtualHost configuration; the <Directory> container
# is not permitted in .htaccess, so in .htaccess use only the inner directives.
# The path is an example; adjust it to the actual PhreeBooks upload directory.
<Directory "/var/www/phreebooks/images">
    # Turns the PHP engine off when PHP runs as mod_php. Apache rejects this
    # directive if mod_php is not loaded (e.g. PHP-FPM): remove it in that case
    # and rely on the FilesMatch denial below.
    php_admin_flag engine off
    # Deny direct requests to PHP-family extensions, including double
    # extensions such as shell.php.jpg that some handler setups still execute.
    <FilesMatch "\.(?i:php|phtml|phar|php[0-9])(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

